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In this paper we investigate lossy channel games under incomplete information, where two players 
operate on a finite set of unbounded FIFO channels and one player, representing a system component 
under consideration operates under incomplete information, while the other player, representing the 
component's environment is allowed to lose messages from the channels. We argue that these games 
are a suitable model for synthesis of communication protocols where processes communicate over 
unrehable channels. We show that in the case of finite message alphabets, games with safety and 
reachability winning conditions are decidable and finite-state observation-based strategies for the 
component can be effectively computed. Undecidability for (weak) parity objectives follows from the 
undecidability of (weak) parity perfect information games where only one player can lose messages. 

1 Introduction 

Lossy channel systems (LCSs), which are finite systems communicating via unbounded lossy FIFO 
channels, are used to model communication protocols such as link protocols, a canonical example of 
which is the Alternating Bit Protocol. The decidabihty of verification problems for LCSs has been well 
studied and a large number of works have been devoted to developing automatic analysis techniques. In 
the control and synthesis setting, where games are the natural computational model, this class of systems 
has not yet been so well investigated. In [Ij, AbduUa et al. establish decidability of two-player safety and 
reachability games where one (or both) player has downward- closed behavior (e.g., can lose messages), 
which subsumes games with lossy channels where one player (i.e., the environment) can lose messages. 
They, however, assume that the game is played under perfect information, which assumption disregards 
the fact that a process has no access to the local states of other processes or that it has only limited 
information about the contents of the channels. To the best of our knowledge, games under incomplete 
information where the players operate on unbounded unreliable channels have not been studied so far. 

We define lossy channel games under incomplete information and show that in the case of finite 
message alphabets, games with safety and reachability winning conditions ai^e decidable and finite-state 
observation-based strategies for the player who has incomplete information can be effectively computed. 

Algorithms for games under incomplete information carrying out an explicit knowledge based subset 
construction \9\ are not directly applicable to infinite-state games. Symbolic approaches [4] are effective 
for restricted classes of infinite-state games like discrete games on rectangular automata [5 1. The sym- 
bolic algorithms that we present in this paper rely on the monotonicity of lossy channel systems w.r.t. the 
subword ordering, which is a well-quasi ordering (WQO). It is well known that upward and downward- 
closed sets of words used in the analysis of lossy channel systems can be effectively represented by finite 
sets of minimal elements and simple regular expressions [2] , respectively. Unsurprisingly, the procedures 
for solving lossy channel games under incomplete information that we develop manipulate sets of sets of 
states. Thus, our termination arguments rely on the fact that the subword ordering is in fact a better-quasi 
ordering (BQO) |!7|'8^i|, a stronger notion than WQO that is preserved by the powerset operation |j6]. 

F. Mogavero, A. Murano, and M.Y. Vardi (Eds.): 

1st Workshop on Strategic Reasoning 2013 (SR' 13) © R. Dimitrova, B. Finkbeiner 

EPTCS 112, 2013, pp. 43-|5l] doi: 10. 4204/EPTCS. 11191 





44 



Lossy Channel Games under Incomplete Information 




a, : Kll 



ao : KIO, 
a, -.Kll 



r :L?1 




bo : L!0, 
b, :L!1 




f :L?0 



u 



f.LlO 



t:K\V 



M) : Receiver 



^/i : Sender 



Figure 1 : A communication protocol with partially specified RECEIVER process. For process RECEIVER 
we have Zq = {<^o,<^i,bo,bi,u} and £3 = {bo,bi}. The property that the implementation must satisfy is 
that location 4 in Sender is not reachable, i.e., the receiver does not acknowledge messages that have 
not been sent, and once all messages and acknowledgements from previous phases have been consumed, 
the receiver can only send one delayed acknowledgement. Note that by using an extra channel and an 
extra location in process RECEIVER we can ensure that the error location is in process RECEIVER. 

2 Lossy Channel Games under Incomplete Information 

Lossy channel systems are asynchronous distributed systems composed of finitely many finite-state pro- 
cesses communicating through a finite set of unbounded FIFO channels that can nondeterministically 
lose messages. We consider partially specified lossy channel systems, where the term partially specified 
refers to the fact that we consider a second ("friendly") type of nondeterminism, in addition to the ("hos- 
tile") one due to the model. More specifically, this second type of nondeterminism models unresolved 
implementation decisions that can be resolved in a favorable way. We consider the case when these de- 
cisions are within a single process, and thus we can w.l.o.g. assume that the system consist of only two 
processes: the process under consideration and the parallel composition of the remaining processes. 

Definition 1. A partially specified lossy channel system (LCS) is a tuple ^ = {s^o,£/[,C,M, 1,0, 1,1,1,^), 
where for each process identifier p G {0, 1}, £/p is a finite automaton describing the behavior of process 
p, C is a finite set of channels, M is a finite set of messages, £ = LqOLi is the union of the disjoint 
finite sets of transition labels for the two processes, and £3 C Zq is a subset of the labels of the partially 
specified process £/o. The automaton £/p = {Qp,q^p,5p) for a process p consists of a finite set Qp of 
control locations, an initial location and a finite set 5 of transitions of the form {q,a,Gr,Op,q'), 
where q,q' eQp,ae Lp, Gr:C^ {true, (= e), S {m-M*) \ m G M] and Op:C^ {\m, 7m, nop \ m G M}. 
Intuitively, the function Gr maps each channel to a guard, which can be an emptiness test, a test of the 
letter at the head of the channel or the trivial guard true. The function Op gives the update operation for 
the respective channel, which is either a write, a read or nop, which leaves the channel unchanged. 

Example. FigH] depicts a partially specified protocol consisting of two processes. Sender and Re- 
ceiver, communicating over the unreliable channels K and L. Process Sender sends messages to 
Receiver over channel K and Receiver acknowledges the receipt of a message using channel L. Note 
that we use guards that test channels for emptiness or test the first letter of their contents. 

The two processes are represented as nondeterministic finite-state automata. Process Sender es- 
sentially runs the Alternating Bit Protocol. Process RECEIVER, however, is only partially specified: 
its alphabet of transition labels Lq = {ao,ai,bo,bi,u} is partitioned according to the unresolved deci- 
sions in the process specification: The subset £3 = {bo,bi} of controllable transition labels specifies the 
unresolved implementation decisions, namely what bit to be sent on channel L at location 1. 
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The property that the protocol must satisfy is encoded as the unreachability of location 4 in process 
Sender. However, the automata can easily be augmented (with an extra channel and an error location 
in process Receiver) in a way that the error location is in process Receiver. The property states that: 

1. the receiver does not acknowledge messages that have not been sent, that is in location 2 in 
Sender the language of L is 0* and in location in Sender the language of L is 1*, 

2. once all messages and acknowledgements trailing from previous phases have been consumed (or 
lost), the number of delayed acknowledgements the receiver can send is bounded by one. 

A configuration 7= {qo,qi,w) of ^ is a tuple of the locations of the two processes and a function 
w : C ^ M* that maps each channel to its contents. The initial configuration of ^ is 7" = {qQ,q^,e), 
where e{c) = £ for each c ^C. The set of possible channel valuations is W = {w j w : C — )• M*}. 

The strong labeled transition relation — J-C {QqxQi xW) xZx {QqxQi xW) of ^ consists of all 
tuples {{qo,qi,w),a,{q'^,q\,w')) (denoted (^o,^i,w) A (^[),^j,w')) suchthatif a Grp,then q\^ = q^_p 
and there is a transition {qp,a,Gr,Op,q'p) € d such that for each c G C all of the following conditions 
hold: (1) if Gr(c) = (g m-M*) then w(c) G m-M*, (2) if Gr(c) = (= e) then w(c) = £, (3) if Op{c) =!m, 
then w'{c) = w{c)-m, (4) if Op{c) =?m, then m-w'(c) = w(c), and (5) if Op{c) = nop, then w'{c) = w{c). 

Let ^ denote the (not necessarily contiguous) subword relation on M* and let us define its extension 
to elements ofW as follows: vvi ^ W2 for wi,W2 G W iff wi(c) ^ W2(c) for every c G C. 

The weak labeled transition relation =>C (gg x 2i x W) x £ x {Qq x Qi x W) for is defined 
as follows: {qQ,qi,w) =^ {q'Q,q\,w') iff there exist w\ and W2 such that wi ^ w and w' ^ W2 and 
{qo,qi,wi) A {q'Q,q[,W2), i.e., the channels can lose messages before and after the actual transition. 

Definition 2 (LC-game structure with incomplete information). Let ^ = {£/o,£/\,C,M,'Lo,Li,'L^) be 
a partially specified LCS, and Cots C C be a set of observable channels that includes the set of all 
channels occurring in guards or read operations in jz/q. The lossy channel game structure with incomplete 
information for and Cots is W{J^,Cobs) = {S,I,^f,,C,M,'Lo,Li,L3,Cobs), where: 

• The set of states of ?f is 5 = {0, 1} x Qq x Qi xW. The first component p of a state {p,qQ,qi,w) 
identifies the process to be executed and the remaining ones encode the current configuration of 

The set of initial states of ^ is / = {{p,qo,qi,w) \ p G {0, 1}, qo = q^, q\ = q\, w = £}. 

• The labeled transition relations -^gQ S xLx S and =^gC 5 x Z x 5 of ^ are defined as follows: 
for states s = {p,qQ,qi,w) and s' = {p' ,q'Q,q[,w') and a G £ we have s Ag s' iff a ^ Lp and 
(^0)^1)^') A {q'Q,q\,w'), and we have s s' iff aeZp and {qQ,qi,w) 4> {q'Q,q'i,w'). 

Remark. The first component of states in S is used to model the interleaving semantics and is updated 
nondeterministically in the transition relation — s-^ (and =^g). For simplicity, in Definition |2] we do not 
make any assumptions about the nondeterministic choice of which process to be executed. One natural 
assumption one might want to make is that the selected process must have at least one transition enabled 
in the current state. This and other restrictions can be easily imposed in the above model. 

For the rest of the paper, let = W{^,Cobs) = {S,I,^g,C,M,Lo,Li,L3,Cobs) be the LC-game 
structure with incomplete information for a partially specified LCS ^ and observable channels Cobs- 
Player^ plays the game under incomplete information, observing only certain components of the 
current state of the game. Let Hobs = Cobs — >■ (^U {e}) and Obs = {0, 1} x 2o x Hobs- The observation 
fiinction obs : S — > Obs maps each state s = {p,qo,qi,w) in to the tuple obs{s) = {p,qo,h) of state 
components observed by Player^, where for each c G Cobs, if P = i, then h{c) = £ and otherwise if 
w(c) = £, then h{c) = e and if w{c) =m-w' for some m £M and w' G M*, then h{c) = m. That is, when 
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p = we have for c G Cobs that h{c) is the letter at the head of w{c), when c is not empty. For o G Obs, 
we denote with States{o) = {.v € 5 | obs{s) = o} the set of states whose observation is o. 

Let ^0 = {{p,qo^q\_^w) G 5 | = 0} be the states where process is to be executed and S\ = S\Sq. 

The game ^ is played by Player^ and Player'^ who build up a play SQCiQaQSia^ai which is se- 
quence of alternating states in 5, labels in = Z3 U {_L} and labels in Z, starting with a state G I- 
Each time the current state is in 5o, Player^ has to choose a label from the set £3 U {_L}, that is either 
a label from £3 of a transition enabled in the current state, or can be the special element _L in case no 
transition with label in Eg is enabled or if there exists an enabled transition with label from Eq \^3- 

Let Enabled(5) = {a G Zq | 3s'. s -4g 5'}. Note that for states si,S2 G 5o with obs{si) = obs{s2) = o 
it holds that Enabled(.vi) = Enabled(.V2), and, abusing notation, we denote this set with Enabled(o). 

For an observation o = {0,qo,h), the set Ac?g(o) = (Enabled(o) nZa) U {_L | Enabled(o) nZg = 
or Enabled(o) n (Zq \^3) / consists of the transition labels that Player^ can choose in a set j G 5o 
with obs{s) = o. For a label G Z^ , the set Act\/{o,a^) = ({a^} nZg) U (Enabled (o) \Zg) consists of 
the transition labels which Player^ can choose when the current choice of Player^ is a^. 

The play is built by Players^ respecting the choices of Player ^ and the transition relation =^g. 
When Si G 5o, then G Acts{obs{si)) is the transition label chosen by Player^ after the play prefix 
soOQaoSiafai . ..af_iai-iSi and a,- G Act\/{obs{si),af). After Player^ has made his choice, Player^ re- 
solves the remaining nondeterminism by choosing a, and the successor state ^^,+1 to extend the play. 

A play in is a sequence n = soaQaoSia^aiSi . . . G (5- (Z^ ■'L-S)*US- (Z^ •Z-i')'*') such that 5'o G /, 
for every / > it holds that .v,- Si+i, and if Si G ^i, then a^ = ±, and if Si G Sq then af G Act3{obs{si)) 
and at G Act'^{obs{si),af). A play n is finite iff last(;r) has no successor in ^, where last(7r) G 5 is the 
last element of n. The set Prefs(^) C S ■ (Z^ • Z • 5)* consists of the finite prefixes of plays in ^, and we 
denote with Prefs3(^) = {n £ Prefs(^^) | last(;r) G 5o} the set of prefixes ending in Sq. 

A strategy for Player^ is a total function /g : Prefs3(^) Z^ such that faiTl) G Act^{obs{\ast{n))). 

The outcome of a strategy /g is the set of plays Outcome(/3) such that 71 = soagaosia^ai ... G 
Outcome(/g) iff for every i > with j,- G 5o it holds that af = fs{soaQaosia^ai . ..Si). 

We define a function obs^ : Prefs3(^^) {Obs ■ Zq)* • Obs that maps a prefix in Prefs3(^) to the se- 
quence of state and action observations made by Player^: obs^ {soaf^aos \a^a\ .. .Sn) = obs'{sQ) - obs' {an) ■ 
obs' {s\) ■ obs' {a\) . . . ■obs'{sn), where for 5 G 5, we define obs' {s) = obs{s) if 5 G 5o and obs'{s) = £ oth- 
erwise, and for a G Z we define obs' {a) = a if a G Zq and obs' {a) = £ otherwise. 

We call a strategy for Player^ obs'^ -consistent if for every pair of prefixes %\ and Tl2 in Prefs3(^) 
for which obs^{7t\) = obs^ {712) holds, it also holds that f3{7l\) = /^(7^2)■ 
We are interested m finite-state strategies for Player^, that is, strategies that can be implemented as 
finite automata. A finite state oZ75"'"-consistent strategy for Player^ in ^ is one that can be represented 
as a finite automaton .J^s = {Qs,q^, (Go x Hobs) x (^3 x ^o),P) with alphabet {Qq x Hgbs) x (2^g x Zq), 
whose transition relation p C {Q^ x ((Go x Hobs) x (Zg x Zo)) x Q^) has the following properties: 

(?) for each q G Qs, o G Go x Hghs, G Z^, a G Zq, and q'y,q'2 G Qs, it holds that if (^7, (o, {a^,a)),q'^) G 
p and {q, {o, {a^ ,a)),q'2) £ p, then q'y = q'2 (i.e., the transition relation p is deterministic), 

(//) for each q G Qs and o G Go x Hobs there exist a^ G Z^, a G Zq, q' G Qs with {q, {o, {a^,a)),q') G p, 
(///) if {q, {o, {a^,ai)),q'i) £ p and a2 £ Act\/{{0,o),a^), then {q, {o, (0^,02)), ^2) ^ P for some ^2 ^ Gi^ 
(iv) if (^,(o,(af,ai)),^i) G p and (^, (o, (af ,a2)),?2) e P, then = af . 

The automaton defines an ofo"'"-consistent strategy /a for Player^. According to the properties 
of for each 71 G Prefs3(^) with obs~^{7r) = ooaoo\ai . . .o„_ia„_io„ there exists a unique sequence 
aQafa^_i G Z^ " such that there is a run of (also unique) on the word OQUQaooia^ai . . . o„_ia^_ja„_i. 
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Let q be the last state of this run. We then define /^(Tr) = a^, where G is the unique label that 
exists by conditions (//) and (/v) such that there are a G Lq and q € Qg such that {q, {on,{a^,a)),q') G p. 

We now turn to the definition of winning conditions in LC-games under incomplete information. We 
consider safety and reachability winning conditions for Player^ defined by visible sets of states in ^. A 
set r C 5 is visible iff for every j G T and every s' e S with obs{s') = obs{s) it holds that s' G T. 

A safety LC-game under incomplete information Safety (^^,£'rr) is defined by a LC-game structure 
with incomplete information ^^ and a visible set Err of error states that Player^ must avoid. A strategy 
/g for Player^ is winning in Safety (^jSrr) iff no play in Outcome(/3) visits a state in Err. 

Note that according to this definition, Player^ wins finite plays that do not reach an error state. If we 
want to ensure that plays reaching a state in that corresponds to a deadlock in ^ are not winning for 
Player^, we can easily achieve this by appropriately instrumenting and Err. 

A reachability LC-game under incomplete information Reach (^^,Goa/) is defined by a LC-game 
structure with incomplete information ^ and a visible set Goal of goal states that Player^ must reach. A 
strategy /g for Player^ is winning in Reach ($f , Goal) iff each play in Outcome(/3) visits a state in Goal. 

Remark. The definition of visible sets allows that Errr\S\ 7^ and Goalr\S\ 7^ 0. Thus, our definition 
of visible objectives does not require that for each pair of plays n\ and 712 with obs^{K\) = obs^{n2) 
(where obs~^ is defined for plays analogously to prefixes) it holds that Player^ wins Tti iff he wins 7V2- 
For the algorithms, which we present in the next section, for solving safety and reachability LC-games 
under incomplete information, the objective for Player^ does not have to satisfy this condition. 

3 Algorithms for Solving Safety and Reachability Games 

Better-Quasi Orderings. The subword ordering ^ on M* is a WQO (and so is the ordering ^ on W 
defined earlier). That means, it is a reflexive and transitive relation such that for every infinite sequence 
Wo, wi , . . . of elements of M* there exist indices < ? < j such that w; :< wj. 

The subword ordering (as well as other WQOs commonly used in verification) is in fact also a BQO, 
and so is the ordering on W. Hence they are preserved by the powerset operation. Here we omit the 
precise definition of BQOs since it is rather technical and it is not necessary for the presentation of our 
results. When needed, we recall its properties relevant for our arguments. 

We extend ^ to a BQO ^ on the set S of states in W in the following way: for .v = {p,qo,q\,w) G 5 
and s' = {p' ,q[).q\,w') G 5, we have s <s' Hi p = p' , qo = q[), q\ = q'l, obs{s) = obs{s') and w < w' . 

A set r C 5 is upward-closed (respectively downward-closed) iff for every s and every / G 5 
with s ^s' (respectively s' < s) it holds that s' G T. The upward-closure of a set T C 5 is T t= G 
5 I 3*. 5 G r and 5^5'}. For each upward (respectively downward) closed set T C 5 and o G Obs, the 
set r' = G r 1 obs{s) = 0} is also upward (respectively downward) closed. We let ^ohs{S) = {u <ZS \ 
M / 0, M = M t and 3o G Obs.\/s G u. obs{s) = 0} and for u G %,hs{S) we define obs{u) in the obvious 
way. The set &obs{S) and obs : !^obs{S) — )> Obs axe defined analogously, requiring that the elements are 
downward-closed instead of upward-closed. (5) is the set of finite sets in ^0^(5). 

The transition relation enjoys the following property: if s s' and s ^ s", then s" .v'. Thus, 
the set of predecessors w.rt. some a G £ of any set of states is upward-closed. For LCSs the set of 
successors w.rt. some a G T of any set of states is a downward-closed set. 

Let Pre : ^(5) x E -)■ ^(5) be the function defined as Pre(r,a) = {s e S \3s' eT. s s'} and let 
Post : J^(5) X E J^(5) be the function defined as Post (J, a) = {j G 5 | 3^' G T. s' s}. As recalled 
above, for each T C 5 and each a G E, Pre(r,a) is upward-closed and Post(r,a) is downward-closed. 



48 



Lossy Channel Games under Incomplete Information 



We define the functions Preo : x Eo ^ ^fU'^obs{S)) and Prei : ^^,^(5) -> ^^fU%hs{S)) 

that map a set m € ^„hs{S) to a finite set of upward-closed sets that partition the respective set of pre- 
decessors of u according to the observations Player^ makes. Formally, Preo{u,a) = {u' G '^^obs{S) \ 
3o G Obs. u' = P re{u, a) n States {o)} and Prei(M) = {u' G '^ofc(5) | 3o G Obs. u' = (UaeSi Pre(M,a)) fl 
States{o)}. Similarly, using the function Post above, we can define the successor functions Posto : 
%h.s{S) X lo ^ ^fm{%bs{S)) and Posti : %h.s{S) ^fm{%h.siS)). Since the transition relation of ^ 
has finite branching, ifde (S) then d' G ^^fol"^) for d' G Posto{d,a) or d' G Posti {d). 

When analyzing LCSs, upward-closed sets are typically represented by their finite sets of minimal el- 
ements, and downward-closed sets are represented by simple regular expressions. These representations 
can be extended to obtain finite representations of elements of '^ohs{S) and &„hs{S). By the definition 
of ^ on S, each visible set of states is upward-closed, and hence, the sets Err and Goal in safety and 
reachability games are finitely representable. In the rest, we assume that they are represented such a way. 

Our termination arguments rely on the following property: For every BQO ^ on a set X, the superset 
relation ^ is a BQO on the set of upward-closed sets in ^(Z) and the subset relation C is a BQO on the 
set of downward-closed sets. This implies that ^ is a BQO on ^ofo l*^) and that C is a BQO on &„hs{S). 

LC-games under incomplete information with safety objectives. We describe a decision procedure 
for safety LC-games under incomplete information which is based on a backward fixpoint computation. 

Each step in the fixpoint computation corresponds to a step in the game, which is not necessarily 
observable by Player^. Thus, this construction is correct w.r.t. Player^ strategies that are oZ^^-consistent, 
where, intuitively^Jie function obs maps a prefix to a sequence that includes also the (trivial) observations 
of 5i states, and ofc-consistency is defined analogously to ofo"'"-consistency. To avoid this problem, our 
algorithm performs the fixpoint computation on a LC-game structure with incomplete information ^ 
obtained from W by adding an idle transition for process 1. This game structure has the following 
property: Player^ has an oZj5'^ -consistent winning strategy in the game Safety {'^ , Err) iff Player^ has 
an oZ75-consistent winning strategy in Safety(Sf,£'rr), which yields correctness of the algorithm. 

Formally, the function obs : Prefs3(^) — > {Obs* -Eq)* Obs is defined as: obs{soaQao ■ ■ -Sn) = 
obs{so) ■ obs'iao) ■ obs{sn). The game structure ^ is the tuple ^ = (Sj/j^gjCjMjEoi^ij^gjCofc) 
where Ei = Ei U {idle} and idle ^E, and = —^g \J{{{\,qo^q\^w),idle, {p' ,qo,qi,w)) \ p' G {0, 1}}. 

We define the set ^{S) for S as ^{S) = {/ G ^fin('^ofo(5)) | / / and 3o G Obs.yu G /. obs{u) = o} 
and define obs{l) for each I G ^{S) in the obvious way. We provide a fixpoint-based algorithm that 
computes a set B C Jf{S) such that each / G B has the following property: if A' C 5 is the set of states 
that the game can be currently in according to Player^'s knowledge and ^Plw ^ for every m G /, then 
Player^ cannot win when his knowledge is K. Considering the set / of initial states, if for some / G B it 
holds that/nw / for all uel, then Player^ has no oZ?^^ -consistent winning strategy in Safety (Sfji'rr). 

Our procedure computes a sequence Bq C B\ C B2.. . of finite subsets of ^(5). The computation 
starts with the set Bq = {{ErrH States {o)} \ o G Obs}. For / > 0, we let B,+i = B/ UA^/+i, where the set 
A^,+i of new elements is computed based on B, and is the smallest set that contains each / G ^{S) which 
is such that / C [ji'eB,.,u'ei'i{iJaeZo Preo{u\a)) U Prei(M')) and: 

• if / G ^(^(5o)) then for every possible choice a^ G Act3{obs{l)) of Player^, there exist an action 
a eAct\/{obs{l),a^) and I' G B,- such that for every u' G I' it holds that Preo{u' ,a)r\l / 0, 

• ifle^{^{Si)) then tiiere exists /' G B,- such that for every u' G /' it holds tiiat Prei {u') n / 7^ 0. 

The ordering C on =Sf (5) is defined such that for /, /' G ^(5), we have / C /' iff for every m G / there 
exists au' el' such that u^u' . The ordering C is a BQO, since D is a BQO on '^obs{S)- Intuitively, if / 
belongs to the set of elements of ^(5) in which Player^ cannot win, so does every /' with / C /'. 
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We say that the sequence 80,81,82. ■■ converges at k if M\n {8^+1) C Min(Si;), where Min(B,) is the 
set of minimal elements of 8i w.r.t. C. This condition can be effectively checked, since each B,- is finite. 
We argue that there exists a A: > such that the sequence computed by the procedure described above 
converges at k (and hence the procedure will terminate). 

Let Fo,Fi,F2,...he the sequence of upward-closed elements of ^{^{S)) where Fj = 8i t for each 
/ > 0. As Fo , Fi , F2 . . . is a monotonically increasing sequence of upward-closed sets of elements of JSf (5) , 
it must eventually stabilize, i.e., there is a A: > such that Fyt+i C F^. Thus, since T^+i ^ F, if and only if 
Min(S,+i) C Min(S,), the sequence So,Si,S2 . . . is guaranteed to converge at some A: > 0. 
Proposition 1. Let B = B^, where the sequence 80,81,82... converges at k. Then, Player^ has an 
obs -consistent winning strategy in Safety {"^^ , Err) iff for every I € 8 there exists u & I with m H / = 0. 

If Player^ has an obs-consistent winning strategy in Safetyi^ , Err), then Player^ has a finite-state 
obs^ -consistent winning strategy in the original game Safety (^jFrr). 

Proof Idea. A counterexample tree for Safety (^jFrr) represents a witness for the fact that Player^ does 
not have an oZ^^-consistent winning strategy in Safety ,Err). It is a finite tree with nodes labeled with 
elements of ^obs{S). If there is a / G S such that mPi / 7^ for every u el, a counterexample tree can be 
constructed in a top-down manner. For the other direction we can show by induction on the depth of the 
existing counterexample trees that there exists a / G B such that m n / ^ for every m € /. 

For the case when Player^ wins the game Safety (^jFrr) we can construct a finite-state obs~^- 
consistent winning strategy for Player^ in the game Safety (^jFrr) by using as states for the strategy 
automaton functions from observations to a finite set Y C ^f\„{j^{S)) each of whose elements V pre- 
serves the invariant that for every Z G S there exists auEl such that u n Uvgv ^ = 0. □ 

LC-Games under incomplete information with reachability objectives. For reachability games 

we give a procedure based on forward exploration of the sets of states representing the knowledge of 
Player^ about the current state of the game. Since Player^ can only observe the heads the observable 
channels, his knowledge at each point of the play is a finite downward-closed set, element of (5). 
To update this knowledge we define functions Postg^' : ^I'^^iS) x Eq ^fU^^Jbsi^)) and Postf' : 
^ohs(S) ^fU^ohsi^)) that map a set d e ('^) ^ ^ finite set of elements of &f;^,{S), each of 
which is a set of states that Player^ knows, according to his current observation, the game may be 
in after (a transition from Zq and) a sequence of transitions from Zi. For each d G (5) we have 
d' G Post(l'^{d,a) (respectively d' G Posti^''(^Z)) iff there exists a sequence do,di,. ..,d„e ^^^^(S) such 
that do G Posto(<i,a) (respectively do = d), for every 1 < / < 71 it holds that di-\ C and di G Posti (di-i), 
and for every < / < j < « it holds that <i, ^ dj and one of the following conditions is satisfied: (1) 
d' C Goal, d' = do and n = (i.e., d' C Goal fl Si), or (2) there exists a 1 < / < « such that di C J„ and 
d' = dn (i.e., d' C 5i), or (3) d' = {{0,q'Q,q\,w') \ {\,q'f^,q\,w') G U"=o^<} (i-e-, d' C 5o). 

We construct a finite set of trees rooted at the different possible knowledge sets for Player^ at location 
q^g. The nodes of the trees are labeled with knowledge sets, i.e., with elements of ^^^'1^^{S). The edges 
are labeled wit pairs of transition labels, i.e., elements of x Lo, where the first element of a pair is a 
possible choice of Player^ and the second element is a corresponding choice of Player^. 

Formally, the forward exploration procedure constructs a forest in which the roots are labeled 
with the sets {{0,qQ,q1,e)} and all the sets d G Post"'"' {{{\,q'^-,,q1,£)}\ Goal). At each step of the 
construction an open leaf node n with label d is processed in the following way: 

• If J C Goal, we close the node and do not expand further from this node. 

• lfd% Goal and either d CSq and there exists an ancestor of n that is labeled with d' and such that 
d' Qd,or d QSi, we close the node and do not expand further from this node. 
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• Otherwise, we add the set of successors of n: for each ^Actj{obs{d)), each a GActy{obs{d),a^) 
and each d' G Post[f"(J ,a) we add exactly one successor n' labeled with d' and label the edge 
{n,n') with {a^,a). The set of successors for {a^,a) is denoted with Children{n,a^ ,a). 

The finite branching of the transition relation of §f and the fact that C is a BQO on &^2{S) imply 
that each of the sets PosIq^^ {d,a) and Post°^^ (J) can be effectively computed, the set of roots and the 
out-degree of each node are finite, and the above procedure terminates constructing a finite forest 3^. 

We label each node n in ^ with a boolean value win{n). For a leaf node n with d{n) C Goal, we 
define win{n) = true and for any other other leaf node n we define win{n) = false. The value of a non- 
leaf node is computed based on those of its children by interpreting the choices of Player^ disjunctively 
and the choices of Player^ conjunctively. Formally, for every non-leaf node n we define win{n) = 
y a^eAct^(ohs{d(n))) AaeActs,{ob,{d{n)),a3) Ki' echiidren(n,a^ ,a) win{n'), whcrc d{n) is the sct of statcs labeUng n. 

Proposition 2. Player^ has an obs^ -consistent winning strategy in Reach (^#,Goa/) ijffor every root n 
in ^ it holds that win{n) = true. If Player^ has an obs^ -consistent winning strategy in Reach (^^, Goal), 
then he also has a finite state obs^ -consistent winning strategy in Reach (^^,Goa/). 

Proof Idea. If all the roots are labeled with true we can construct a finite-state oZ?^^ -consistent strategy 
winning for Player^ in Reach(?^, Goa/), by mapping each prefix in Prefs3(^^) to a label in Z^, deter- 
mined by a corresponding path in J7 and a fixed successful choice at its last node, if such path and choice 
exist, or given an appropriate default value otherwise. For the other direction we suppose that some root 
is labeled sNith false and show that for any oZjs^ -consistent strategy for Player^, we can use the tree 
to construct a play n G Outcome(/3) that never visits a state in Goal. □ 

LC-games under incomplete information with parity objectives. We now turn to more general 
a)-regular visible objectives for Player^ where the undecidability results established in [ 1] for perfect 
information lossy channel games in which only one player can lose messages, carry on to our setting. 

A visible priority function pr : Obs — )• {0, 1, . . . ,«} for natural number « € N maps each observa- 
tion to a non-negative integer priority. For an infinite play K = SQa^a^s^a^ai ... we define pr{K) = 
min{;?r(o) | o G InfObs{7i)}, where InfObs{n) is the set of observations that occur infinitely often in n, 
and define wpr{n) = mm{pr{obs{s())) ,pr{obs{si)) , . . .}. A parity (respectively weak parity) LC-game 
under incomplete information Parity {'^^ ,pr) (respectively WeakParity{'^ ,pr)) is defined by a LC-game 
structure with incomplete information ^ and a visible priority function pr. A strategy fj for Player^ is 
winning in the parity game Parity ,pr) (weak parity game WeakParityiW ,pr)) iff for every infinite play 
71 G Outcome(/3) it holds that pr{n) is even (respectively wpr{7i) is even). 

Proposition 3. The weak parity game solving problem for LC-games under incomplete information, that 
is, given a weak parity LC-game under incomplete information WeakParity{^ ,pr) to determine whether 
there exists an obs^ -consistent winning strategy for Player^ in WeakParity{'^^ ,pr), is undecidable. 

Proof Idea. In f\] it was shown that in the perfect information setting the weak parity problem for B- 
LCS games, which are games played on a finite set of channels in which player A has a weak parity 
objective and only player B is allowed to lose messages, is undecidable. Their proof (given for A-LCS 
games but easily transferable into a proof for B-LCS games) is based on a reduction from the infinite 
computation problem for transition systems based on lossy channel systems, which is undecidable |3l. 

We argue that this reduction can be adapted for our framework, with Player^ in the role of player A 
and Player^ in the role of player B. The fact that here Player^ choses only transition labels and plays 
under incomplete information does not affect the proof for B-LCS games, since there player A just 
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follows passively, while player B simulates the original system. The values of the priority function used 
in 111 do not depend on the contents of the channels. Thus, we can define a visible priority function. □ 

As a consequence, the parity game solving problem for LC-games under incomplete information is 
undecidable as well. As noted in [1], the construction from the proposition above can be used to show 
undecidabihty of A-LCS and B-LCS games with Bilchi and co-Biichi objectives. 

Summary of the results. The results of the paper are summarized in the following theorem. 
Theorem 1. For lossy channel game structures with incomplete information 

• games with visible safety or reachability objectives for Player are decidable, and when Player^ 
has an observation-based winning strategy, a finite-state such strategy can be effectively computed, 

• games with visible weak parity objectives for Player^ are undecidable. 

4 Conclusion 

We showed that the game solving problem for LC-games under incomplete information with safety 
or reachability objective for Player^ is decidable. LC-games under incomplete information with more 
general winning conditions, such as weak parity (as well as Biichi and co-Biichi) condition can easily be 
shown to be undecidable, using a reduction similar to the one described in [JJ for A-LCS games (which 
are perfect information games defined on LCSs in which only one player can lose channel messages). An 
orthogonal extension that is also clearly undecidable is decentralized control. This implies that suitable 
abstraction techniques are needed to address the synthesis problem within these undecidable settings. 
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